Matthew Wilding
Rockwell Collins
Publication
Featured research published by Matthew Wilding.
Computer-Aided Reasoning | 2000
David A. Greve; Matthew Wilding; David S. Hardin
High-speed simulation models are routinely developed during the design of complex hardware systems in order to predict performance, detect design flaws, and allow hardware/software co-design. Writing such an executable model in ACL2 brings the additional benefit of formal analysis; however, much care is required to construct an ACL2 model that is both fast and analyzable. In this chapter, we develop techniques for the construction of high-speed formally analyzable simulators in ACL2, and demonstrate their utility on a simple processor model.
Journal of Functional Programming | 2008
David A. Greve; Matt Kaufmann; Panagiotis Manolios; J Strother Moore; Sandip Ray; José-Luis Ruiz-Reina; Rob Sumners; Daron Vroon; Matthew Wilding
We describe a method that permits the user of a mechanized mathematical logic to write elegant logical definitions while allowing sound and efficient execution. In particular, the features supporting this method allow the user to install, in a logically sound way, alternative executable counterparts for logically defined functions. These alternatives are often much more efficient than the logically equivalent terms they replace. These features have been implemented in the ACL2 theorem prover, and we discuss several applications of the features in ACL2.
Design and Verification of Microprocessor Systems for High-Assurance Applications | 2010
Matthew Wilding; David A. Greve; Raymond J. Richards; David S. Hardin
The AAMP7G microprocessor, currently in use in Rockwell Collins high-assurance system products, uniquely supports strict time and space partitioning in hardware. In this chapter, we describe the formal modeling and proof effort that led to an NSA multiple independent levels of security (MILS) certification for the AAMP7G. The MILS certificate allows a single AAMP7G CPU to concurrently process Unclassified through Top Secret codeword information. We discuss the formal model architecture of the AAMP7G at several levels, including the microcode and instruction set levels. We describe how the ACL2 theorem prover was used to develop a formal security specification, called GWV, and outline a mathematical proof (machine-checked using ACL2) which established that the AAMP7G trusted microcode implements that security specification, in accordance with EAL 7 requirements. We also discuss the evaluation process, which validated that the formalizations accurately model what was actually designed and built. Finally, we provide an overview of a technique for compositional reasoning at the instruction set level, using a symbolic simulation-based technique.
formal methods | 2001
Matthew Wilding; David A. Greve; David S. Hardin
Computer systems under development are routinely modeled by simulators, and formal verification can be integrated into conventional computer system development by reasoning directly about such simulators. Simulators must be extremely fast to be usable in a real development effort. We have crafted a model for a simple processor in the logic of the ACL2 theorem prover that supports both formal analysis and efficient execution, with performance near that of a simulator written in C. We demonstrate our approach using this simple model and indicate how we applied it to our latest microprocessor.
computer aided verification | 1998
David S. Hardin; Matthew Wilding; David A. Greve
As digital designs grow evermore complex and design cycles become ever shorter, traditional informal methods of design verification are proving inadequate. Design teams are increasingly turning to formal techniques to address this “verification crunch”. The theorem prover, with its emphasis on establishing correctness, is arguably the dream design verification tool; however, theorem provers are rarely used in digital design. Much like automotive industry “concept cars”, theorem provers provide a compelling vision of the future, but in the real world of industrial design they have proven to be difficult to drive and expensive to maintain. We suggest ways that the theorem prover “concept cars” of today can be adapted to become the “off-road vehicles” necessary to negotiate the rough-and-tumble terrain of digital design in the 21st century.
Dependable Computing for Critical Applications 7 | 1999
Matthew Wilding; David S. Hardin; David A. Greve
We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstrate invariant performance by formalizing it in the logic of PVS for a simple yet realistic embedded system.
document analysis systems | 2000
David A. Greve; Matthew Wilding
Verification and certification of flight critical software and application-specific integrated circuits (ASICs) is currently a labor-intensive, manual process involving extensive testing, inspections, and process documentation. The complexity of these systems and devices will increase both because increases in cockpit automation and application integration offer important safety benefits and because astonishing improvements in digital computing technology can potentially improve performance and decrease cost. The current approach to verification and certification will be challenged by this increased complexity. In order to reap fully the benefits of these technological advances we must develop new methods for verification and certification of flight critical devices that provide higher degrees of assurance for increasingly complex systems while simultaneously streamlining the verification process. The development of executable formal models may offer higher degrees of assurance, address increased complexity, and streamline certain aspects of the verification process. Increased assurance can be obtained as a result of rigorous, mechanical, mathematically complete checks of consistency and completeness of system requirements as well as proofs of correctness of specific implementations. As vector-based testing becomes increasingly inadequate to assure correctness in the face of exponentially growing state space, formal proofs of correctness can encompass the entire design, demonstrating correctness once and for all.
Archive | 1998
John K. Gee; David A. Greve; David S. Hardin; Allen P. Mass; Michael H. Masters; Nick M. Mykris; Matthew Wilding
meeting of the association for computational linguistics | 2003
David A. Greve; Matthew Wilding
meeting of the association for computational linguistics | 2000
Matthew Wilding